Disclosure and Accounting of Protected Records by CMS Between 2006 and 2011


CMS maintains millions of records containing financial and health-related information. Inappropriate disclosures of records or data maintained in a system of records (SOR) can result in loss of privacy or fraudulent activities. The Privacy Act of 1974 (Privacy Act) governs Federal agencies' collection, use, and dissemination of individuals' records maintained in an SOR. CMS maintains SORs, and its disclosures of records must be consistent with the Privacy Act. Further, the Privacy Act requires CMS to implement safeguards that protect records maintained in an SOR and to account for any disclosures. Among other things, CMS uses a data use agreement (DUA) to ensure its disclosures are in compliance with the Privacy Act. A DUA is the legally binding agreement that contains the written terms and conditions that govern each disclosure. Entities are required to submit a DUA and DUA-related documents to CMS prior to the disclosures.


We reviewed data requests approved or renewed by CMS between September 2006 and August 2011. We limited our review to approved data requests from health-related SORs. We used the DUA tracking number generated by the Data Agreement and Data Shipping Tracking System (DADSS) to identify our population of approved requests. We selected a simple random sample of 150 approved requests using the DUA tracking number. We interviewed CMS staff and reviewed SOR notices, CMS policies, and documents in the user agreement files, i.e., the DUA and/or DUA-related documents. We project our findings to our population.


For at least 98 percent of all approved data requests in our sample, CMS's disclosures of records were consistent with the routine uses identified in the SOR notices. Five percent of all data files disclosed by CMS were not requested in the DUAs or updated DUAs. CMS did not have the DUAs on file for 33 percent of all user agreement files. The absence of a DUA may limit CMS's ability to verify what data were requested. For 29 percent of the user agreement files, CMS extended entities' use of data without documentation of requests for extensions. Fifteen percent of DUAs were both expired and not closed properly by the entities.


We recommend that CMS (1) develop a process to ensure that the data requested are the ones disclosed to the entity; (2) ensure that the DUA and DUA-related documents are in a user agreement file; (3) ensure that entities submit the required documents to properly close their DUAs; (4) use a standardized, documented process for requesting and approving DUA extensions; and (5) ensure that expiration dates are consistent between the DUA and DADSS. CMS concurred with all five recommendations. In its agency response, CMS stated that it was replacing DADSS with the Enterprise Privacy Policy Engine, an electronic information system designed to provide a 100-percent-traceable record of CMS's data disclosures.